Sessions and SSL

cap97

I started dabbling with sessions yesterday to some success. I created a page called accesscontrol.php, which basically allows me to restrict pages to user acccess only. If I place include("accesscontrol.php") on the top of each page I want protected, accesscontrol.php basically looks for a stored session, and if there isn't one, prompts for a username and password, verifies if the user/password exists in the database, and creates a session, opening up the protected page. All very cool, exactly what I wanted, etc.

However, I'm concerned about security. I have no "hacking" abilities or experience, so I don't really understand how it works. How safe are sessions? I'm encrypting entered password's with MySQL but I feel the form should perhaps be used on an SSL page. My hosting provider offers security by altering the URL of any page we want secure.

So instead of:

http://www.mydomain.com/form.php

I could type:

https://www.theirdomain.com/~myuser/form.php

and the page would be secure. But I don't want to secure every page that requires a user, rather just the submission forms. I'm not sure how to make it so if accesscontrol.php is called for, it pops up on the SSL, but otherwise the page pulls up normal. Does this make sense at all? Or do I even have to worry about this? Does phpbuilder log me in on an SSL? Does it matter?

frymaster

to use ssl you need to have ssl support compiled in to apache. if your provider has ssl that's great, but you'll want ssl on your local development box probably so you may need to recompile there.
you will need a certificate for your ssl connection. when you compile apache with mod_ssl you are given the option to create a "test" certificate (this is called the "snake oil" certificate for reasons not really clear to me). this certificate will work, but it is not "authenticated" - meaning that a trusted third party such as verisign has not vouched that the certificate is good and your site is who it claims to be. do not use the snakeoil cert for a live production site! verisign certs are expensive and they're probably the company your provider uses.
you can easily write a short chunk of code to force a given page to load under ssl:

$getline="?".getenv("QUERY_STRING");
if($HTTPS != "on")
header("Location: [url]https://[/url]$HTTP_HOST$PHP_SELF$getline");

once you are in ssl, all relative links will stay in ssl. that is, if you are at

https://foo.com/index.php

and you click a link that looks like:

&lt:a href="bar.php">

you will wind up at:

https://foo.com/bar.php

sill in ssl... to get out of ssl after that you should have an absolute link. ie, one that looks like:

then you're out.

cap97

Hmm...we're on to something here. I've managed to make it go into SSL mode when calling the accesscontrol.php page. But now, like you said, all links after logging in are also in SSL mode, which probably won't do. I'm pretty sure my host wouldn't want me to make my entire site called up in SSL. Heh. I can't break it with a direct link unless I direct link my entire site, which would suck. I tried to have accesscontrol.php break it's SSL header after finishing it's verification, but that just gave me error messages. In addition, it seems as if sessions created in an SSL environment don't carry over to plain old non-secure pages, which also isn't good. Any thoughts?

minorgod

Your problem with losing session on the transition between SSL/non-ssl pages is because sessions are stored in cookies in the client browser. Cookies are domain-specific, meaning a cookie for http://www.yourdomain.com will be different than a cookie for https://www.yourdomain.com. The way to get around this problem is to store sessions in your database. There are several decent tutorials floating around out there and I think there's one on this site as well. Basically, you define a set of custom session handler functions that take over all of PHP's session handling functions. It's a bitch the first time you do it, but once you get it working, your sessions work exactly like they did before. You do not need to alter any of your application code where sessions are used, you just need to redefine how sessions are handled so PHP will transparently save sessions to a database rather than a text file on the server.

Good luck.